Tuesday, August 11, 2009

Exploiting IPv6 Network Stack: A Pen-tester Approach

The Next-generation protocol, IP version 6, has came out nearly 11 years ago but never been used or practiced in the real world network envrionment. This lack of adoption of technology has not only left many machines in corporate networks without IPv6 implementation but also put a negative affect on networking and operating system vendors. On the other side, due to its fast growth and complexity of implementation in various firewalls and intrusion detection/prevention appliances has revealed the attack surface, as they cannot block malicious IPv6 traffic. The main purpose of this article is to demonstrate the process through which a penetration tester can assess the security of IPv6 enabled environment.

Addressing Scheme

The representation of IPv6 has changed alot from IPv4 addressing scheme. IPv6 network address consists of 128 bits or 16 bytes as a pair of four hex-digits separated by colons. This gives more wider address space and flexibility to segment the addresses accordingly. Lets take some examples to understand the inner workings of IPv6 addressing.

Usually all the IPv6 network nodes are configured with at least one link-local address (fe80::). While performing this automatic configuration, a router discovery request will be sent to all IPv6 enabled routers on their broadcast addresses. Now, if any router respond back, the node will select that site-local address (2000::) for its interface. This scenario introduces a threat where there is no active IPv6 routers and the attacker takes advantage to reply with rogue address. The risk factor of such attack is higher and may cause serious damage and data leakage problems for the organization. Using the mentioned scenario, I will demonstrate the real-world attack on IPv6 network from penetration testing perspective.

1. IPv6 Network ConfigurationTo validate if your system is configured with IPv6 address at particular interface, execute the following command:

IPv6 design introduces a new set of protocol for network discovery. It consists of ICMPv6 Neighbour Discovery and Neighbour Solicitation protocols. In order to enumerate the network hosts, we can use the "IPv6 Attack Toolkit" published by Van Hauser. This task is accomplished using "alive6" program included in the package.

To move towards penetration stage, it is vital to determine all set of vulnerable services running on the target machine. For instance, consider the following NMap results from scanning the IPv6 Windows interface.

# nmap -6 -p1-10000 -n fe80::24c:44ff:fe4f:1a44%eth080/tcp open http135/tcp open msrpc445/tcp open microsoft-ds554/tcp open rtsp1025/tcp open NFS-or-IIS1026/tcp open LSA-or-nterm1027/tcp open IIS1030/tcp open iad11032/tcp open iad31034/tcp open unknown1035/tcp open unknown1036/tcp open unknown1755/tcp open wms9464/tcp open unknown

As we know that Metasploit Framework supports IPv6 sockets. This allow us to use almost any auxiliary and exploit modules against IPv6 hosts same as IPv4. For the purpose of demonstration, I have used MS03-036 (Blaster) exploit to penetrate DCERPC endpoint mapper service (port 135) and get a root shell.